Kibana Open Redirect (ESA-2025-10)
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2
Affected Configurations:
Kibana installations making use of Short URLs within the Discover, Dashboard, and Visualization Library features.
Solutions and Mitigations:
The issue is resolved in versions 7.17.29, 8.17.8, 8.18.3, and 9.0.3.
For Users that Cannot Upgrade:
Self-hosted
Installations with a Basic license should have administrators restrict access to Kibana features which grant the ability to generate Short URLs:
- Dashboard => All
- Discover => All
- Visualize => All
- Saved Objects Management => All
- Top-level “All” privilege granted to one or more spaces
Installations with a Gold, Platinum, or Enterprise license can restrict access to short-url creation via sub-feature privileges within the Dashboard, Discover, and Visualize features above. This will allow administrators to continue allowing read/write access to the aforementioned features, but restrict the ability to generate Short URLs.
Cloud
Administrators should restrict access to Kibana features which grant the ability to generate Short URLs:
- Dashboard => All
- Discover => All
- Visualize => All
- Saved Objects Management => All
- Top-level “All” privilege granted to one or more spaces
Administrators can optionally restrict access to short-url creation via sub-feature privileges within the Dashboard, Discover, and Visualize features above. This will permit read/write access to the aforementioned features, but restrict the ability to generate Short URLs.
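An added audit helper (not part of the advisory or of Kibana) that applies the privilege criteria listed under both the Self-hosted and Cloud mitigations to role definitions in the shape returned by Kibana's role API, flagging every grant that still allows Short URL creation. The feature IDs, the `url_create` sub-feature privilege ID and the sample roles are assumptions constructed for this example; verify the IDs against your Kibana version.

```python
import json

# Kibana feature IDs as they appear in a role's "kibana[].feature" map,
# mapped to the feature names used in the advisory (IDs are an assumption).
SHORT_URL_FEATURES = {
    "dashboard": "Dashboard",
    "discover": "Discover",
    "visualize": "Visualize",
    "savedObjectsManagement": "Saved Objects Management",
}
# Sub-feature privilege for "Short URLs" (assumed ID; check your Kibana version).
URL_CREATE_PRIVILEGE = "url_create"


def short_url_grants(roles):
    """Return (role, spaces, reason) for each grant that allows Short URL creation."""
    findings = []
    for role in roles:
        for entry in role.get("kibana", []):
            spaces = ",".join(entry.get("spaces", []))
            # Top-level "All" on any space covers every feature, including Short URLs.
            if "all" in entry.get("base", []):
                findings.append((role["name"], spaces, "top-level All"))
                continue
            for feature, privs in entry.get("feature", {}).items():
                if feature not in SHORT_URL_FEATURES:
                    continue
                label = SHORT_URL_FEATURES[feature]
                if "all" in privs:
                    findings.append((role["name"], spaces, f"{label} => All"))
                elif URL_CREATE_PRIVILEGE in privs:
                    findings.append((role["name"], spaces, f"{label} => Short URLs sub-feature"))
    return findings


# Constructed sample resembling `GET /api/security/role` output (not real data).
SAMPLE_ROLES = json.loads("""[
 {"name": "analyst", "kibana": [
   {"base": [], "feature": {"discover": ["read"], "dashboard": ["all"]}, "spaces": ["default"]}]},
 {"name": "viewer", "kibana": [
   {"base": [], "feature": {"discover": ["minimal_read"], "visualize": ["read"]}, "spaces": ["*"]}]},
 {"name": "space_admin", "kibana": [
   {"base": ["all"], "feature": {}, "spaces": ["marketing"]}]},
 {"name": "sharer", "kibana": [
   {"base": [], "feature": {"discover": ["minimal_read", "url_create"]}, "spaces": ["default"]}]}
]""")

if __name__ == "__main__":
    for name, spaces, reason in short_url_grants(SAMPLE_ROLES):
        print(f"{name:12} spaces={spaces:10} {reason}")
```

Roles that appear in the output still permit Short URL creation and should be narrowed to read-only or to the sub-feature-restricted privileges described above.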
Severity: CVSSv3.1: 4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-25012